git.samba.org
/
sfrench
/
samba-autobuild
/
.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
66c0f36
)
Now we're allowing a lower bound for auth_len, ensure we
author
Jeremy Allison
<jra@samba.org>
Fri, 6 Mar 2009 05:06:48 +0000
(21:06 -0800)
committer
Jeremy Allison
<jra@samba.org>
Fri, 6 Mar 2009 05:06:48 +0000
(21:06 -0800)
also check for an upper one (integer wrap).
Jeremy.
source3/rpc_server/srv_pipe.c
patch
|
blob
|
history
diff --git
a/source3/rpc_server/srv_pipe.c
b/source3/rpc_server/srv_pipe.c
index ac491b9e53ce6ffdd9ddc2614bfb79c7819aba7a..6becfa42e86c590fe07132b55342619288f60abe 100644
(file)
--- a/
source3/rpc_server/srv_pipe.c
+++ b/
source3/rpc_server/srv_pipe.c
@@
-2113,7
+2113,11
@@
bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
auth_len = p->hdr.auth_len;
- if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
+ if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
+ auth_len < RPC_HEADER_LEN +
+ RPC_HDR_REQ_LEN +
+ RPC_HDR_AUTH_LEN +
+ auth_len) {
DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
return False;
}